CVE-2016-7462 : The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write

The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a relay-request payload that is mishandled during deserialization.

Published 2016-12-29 09:59:01

Updated 2017-07-28 01:29:06

Source VMware

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2016-7462

Probability of exploitation activity in the next 30 days: 0.24%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 61 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-7462

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:S/C:N/I:P/A:C	8.0	7.8	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Complete
8.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H	3.1	4.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: None Integrity: Low Availability: High

CWE ids for CVE-2016-7462

CWE-264

Assigned by: nvd@nist.gov (Primary)
CWE-749 Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-7462

http://www.vmware.com/security/advisories/VMSA-2016-0020.html

VMSA-2016-0020
Vendor Advisory
https://www.tenable.com/security/research/tra-2016-34

[R1] VMWare vRealize Operations Manager Appliance Multiple Vulnerabilities Chained Remote Code Execution - Research Advisory | Tenable®
Technical Description;Third Party Advisory
http://www.securitytracker.com/id/1037297

VMware vRealize Operations REST API Deserialization Flaw Lets Remote Users Deny Service - SecurityTracker
http://www.securityfocus.com/bid/94351

VMware vRealize Operations CVE-2016-7462 Remote Code Execution Vulnerability

Products affected by CVE-2016-7462

Vmware » Vrealize Operations » Version: 6.2.1
cpe:2.3:a:vmware:vrealize_operations:6.2.1:*:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 6.3.0
cpe:2.3:a:vmware:vrealize_operations:6.3.0:*:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 6.1.0
cpe:2.3:a:vmware:vrealize_operations:6.1.0:*:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 6.2.0a
cpe:2.3:a:vmware:vrealize_operations:6.2.0a:*:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 6.0.0
cpe:2.3:a:vmware:vrealize_operations:6.0.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-7462

Exploit prediction scoring system (EPSS) score for CVE-2016-7462

CVSS scores for CVE-2016-7462

CWE ids for CVE-2016-7462

References for CVE-2016-7462

Products affected by CVE-2016-7462